New ransomware strain uses localized demands

McAfee researcher Naganathan Jawahar said that the scam, like most ransomware, purports to be from a law enforcement agency or the FBI, asking users to pay a fine for supposedly hosting banned material on their computers, which the trojan locks up and makes inaccessible. But in the case of the former, local agencies are used to appear more legitimate. Also, the trojan uses a variety of legitimate payment and financial transfer services, including Green Dot, MoneyPak, Paysafecard and Ukash.

“As part of its payload, this Trojan displays a full-screen webpage that covers all other windows, rendering the computer unusable,” Jawahar said. “The image is a fake warning pretending to be from a legitimate institution that demands the payment of a fine.”

He added, however, that paying the “fine” will not necessarily return the computer to a usable state, “so we don’t advise you do so.”

When the ransomware runs, one of several variants of the malware family copies itself to the computer.

“Some variants create [a] shortcut file in the Windows start-up folder to ensure the Trojan loads every time you log on,” Jawahar said. “Some variants may also drop a copy of rundll32.exe in the %USERPROFILE%\application data directory – this file launches the Trojan.”

Then there’s the secret sauce: he added that the trojan can download and run customized DLL payloads, like Lock.dll, which it uses to display a tailored fraudulent message, which the trojan injects into the browser process of Internet Explorer, Chrome and Opera.

Ransomware has been making the rounds in slightly altered form all year, with the law enforcement/banned content gambit a perennial favorite. Meanwhile, Russian hackers have been targeting local medical businesses in Queensland, Australia with malware that hijacks a drive with sensitive information, forcibly encrypting it and demanding thousands to make the data available again.